OFFICE OF THE INSPECTOR GENERAL
SOCIAL SECURITY ADMINISTRATION

THE PHYSICAL SECURITY OF THE SOCIAL SECURITY ADMINISTRATION’S CONTRACTOR OWNED AND OPERATED OFF-SITE STORAGE FACILITY

September 2012    A-14-12-11227

AUDIT REPORT

Mission

By conducting independent and objective audits, evaluations and investigations, we inspire public confidence in the integrity and security of SSA’s programs and operations and protect them against fraud, waste and abuse. We provide timely, useful and reliable information and advice to Administration officials, Congress and the public.

Authority

The Inspector General Act created independent audit and investigative units, called the Office of Inspector General (OIG). The mission of the OIG, as spelled out in the Act, is to:

• Conduct and supervise independent and objective audits and investigations relating to agency programs and operations.
• Promote economy, effectiveness, and efficiency within the agency.
• Prevent and detect fraud, waste, and abuse in agency programs and operations.
• Review and make recommendations regarding existing and proposed legislation and regulations relating to agency programs and operations.
• Keep the agency head and the Congress fully and currently informed of problems in agency programs and operations.

To ensure objectivity, the IG Act empowers the IG with:

• Independence to determine what reviews to perform.
• Access to all information necessary for the reviews.
• Authority to publish findings and recommendations based on the reviews.

Vision

We strive for continual improvement in SSA’s programs, operations and management by proactively
seeking new ways to prevent and deter fraud, waste\nand abuse. We commit to integrity and excellence by supporting an environment\nthat provides a valuable public service while encouraging employee development\nand retention and fostering diversity and innovation.\n\x0c                                              SOCIAL SECURITY\n\nMEMORANDUM\n\nDate:      September 14, 2012                                                                            Refer To:\n\nTo:        The Commissioner\n\nFrom:      Inspector General\n\nSubject:   The Physical Security of the Social Security Administration\xe2\x80\x99s Contractor Owned and\n           Operated Off-site Storage Facility (A-14-12-11227)\n\n\n           OBJECTIVE\n           Our objective was to determine whether the physical security at the Social Security\n           Administration\xe2\x80\x99s (SSA) contractor owned and operated off-site storage facility for the\n           Second Support Center (SSC) complied with Federal laws, regulations, and contract\n           requirements.\n\n           BACKGROUND\n           Federal standards provide distinct criteria for contingency, continuity of operations, and\n           disaster recovery planning. 1 To help protect SSA\xe2\x80\x99s data for contingency processing and\n           disaster recovery purposes, the Agency modified its contract. The total cost of the\n           contract was approximately $3.5 million.\n\n           This contract provides transportation and media vault storage services for the SSC as\n           part of the Agency\xe2\x80\x99s Disaster Recovery Program. 
Under this contract, SSA stores\n           current copies of all procedures, computer programs, operating instructions, and critical\n\n           1\n             Office of Management and Budget (OMB) Circular A-130, Security of Federal Automated Information\n           Resources, Appendix III requires that agencies maintain disaster recovery and continuity of operations\n           plans for all information technology installations should events occur that prevent normal operations at the\n           installation. Federal Information Security Management Act of 2002, Pub. L. No. 107-347, Title III, Section\n           301 \xc2\xa7 3544(b)(8), 44 U.S.C. \xc2\xa7 3544(b)(8) requires that each agency develop, document, and implement\n           an agency-wide information security program that includes plans and procedures to ensure continuity of\n           operations for information systems that support the operations and assets of the agency. National\n           Institute of Standards and Technology (NIST), p.10, May 2010, Special Publication 800-34 Revision 1,\n           Contingency Planning Guide for Federal Information Systems, states disaster recovery plan applies to\n           major, usually physical disruptions to service that deny access to the primary facility infrastructure for an\n           extended period. A disaster recovery plan is an information system-focused plan designed to restore\n           operability of the target system, application, or computer facility infrastructure at an alternate site after an\n           emergency.\n\x0cPage 2 - The Commissioner\n\n\ndata at secure, remote vault facilities maintained by the contractor. SSA also acquired\nstorage services for a Secondary off-site storage facility 2 as a backup for the SSC\nPrimary off-site storage facility. 
Until SSA is confident it can back up all critical\nworkloads housed at its SSC to its National Computer Center and from the National\nComputer Center to the SSC with 1 hour loss of data, the off-site storage facility is\ncritical to SSA\xe2\x80\x99s operations. In the event of a catastrophic event at either data center,\nthe Agency would have a backup of its critical workloads. 3\n\nTo meet our audit objectives, we (1) reviewed and compared physical security criteria\nfor off-site storage facilities to the physical security observed at the contractor\xe2\x80\x99s off-site\nfacilities, (2) examined the current contract and modifications; (3) conducted a physical\nsecurity review of the contractor\xe2\x80\x99s Primary and Secondary off-site storage facilities;\n(4) observed the transport of SSA\xe2\x80\x99s media between the SSC and the contractor\xe2\x80\x99s\nPrimary and Secondary off-site storage facilities; and (5) interviewed SSA and\ncontractor personnel. The scope of this review was limited to the contract\xe2\x80\x99s physical\nsecurity requirements.\n\nRESULTS OF REVIEW\nBased on our audit results, 4 we determined the physical security at the contractor\xe2\x80\x99s off-\nsite storage locations generally complied with Federal laws; regulations; and some, but\nnot all, of the contract requirements. We believe the issues discussed below could have\nbeen prevented with improved contract oversight performed by SSA.\n\nDuring our review, we noted areas where the contractor needed to improve its physical\nsecurity at its off-site locations to comply with contract requirements. 
Specifically, we\nfound that the contractor should improve\n\n\xe2\x80\xa2     access controls to SSA\xe2\x80\x99s media;\n\xe2\x80\xa2     environmental controls; and\n\xe2\x80\xa2     fire protection for its Secondary off-site storage facility\xe2\x80\x99s vault.\n\n\n\n\n2\n The Secondary storage facility serves as a form of disaster recovery insurance against an event, or\nseries of events, affecting the National Computer Center, SSC, Primary off-site storage facility, and\nvehicles transporting SSA media during the same period. This facility will be used to store an older/aged\nset of media collected under SSA's tape backup procedures.\n3\n    Enumeration and claims administration for benefits and post-entitlements under Titles II and XVI.\n4\n During our audit, we reviewed the physical security criteria for off-site storage facilities, interviewed\ncontractor and SSA management, and observed the contractor\xe2\x80\x99s two off-site locations and the process\nused to deliver SSA\xe2\x80\x99s media to the off-site facilities.\n\x0cPage 3 - The Commissioner\n\n\nAccess Controls to SSA\xe2\x80\x99s Media\n\nDuring our review, we found access to SSA\xe2\x80\x99s media was not limited to authorized and\nadjudicated 5 contractor employees, as required by the contract. This occurred because\nthe contractor did not limit access to SSA\xe2\x80\x99s media from other customers\xe2\x80\x99 media or only\ncontractor employees who had proper SSA suitability determinations. 
We discussed\nthese issues with the contractor, which stated that all of its employees needed access to\nthe vaults to service the contractor\xe2\x80\x99s other clients.\n\nAccording to the contract, \xe2\x80\x9cThe contractor shall provide controlled access to the storage\nvault/facility.\xe2\x80\x9d 6 Also, \xe2\x80\x9c\xe2\x80\xa6only individuals who have been adjudicated by SSA can have\naccess to the vault where SSA\xe2\x80\x99s data is stored.\xe2\x80\x9d 7 In addition, the contract required that\nall contractor employees (truck drivers, contractor management, etc.) who visit an SSA\nfacility obtain a credential 8 after the Agency conducts a favorable background\ninvestigation.\n\nSSA\xe2\x80\x99s media is stored in sliding storage cabinets 9 at both the Primary and Secondary\noff-site storage vaults. The cabinets are aligned in rows, and each cabinet has vertical\nslide-out drawers with shelves for media storage. While SSA\xe2\x80\x99s media is stored in an\nindividual cabinet, the cabinets are not individually locked. The contractor used a cable\nto lock each group of cabinets as opposed to locking each cabinet individually. As a\nresult, the contractor\xe2\x80\x99s employees can access SSA\xe2\x80\x99s cabinets when accessing other\ncustomer\xe2\x80\x99s cabinets. Furthermore, not all contractor employees who had access to\nSSA\xe2\x80\x99s media had a background check and had been properly adjudicated by SSA.\n\nAt the time of our visits, 10 SSA had given only 4 of the 17 contractor employees at the\nPrimary storage facility and 7 of 29 contractor employees at the Secondary storage\n\n\n\n\n5\n Appropriate background investigations are required for all contractors before they begin work under this\ncontract and/or access SSA systems, information, and facilities. Section E-18, b.\n6\n    Section C-4, A. fifth paragraph, first sentence.\n7\n    Section C-4, A. 
fifth paragraph, second sentence.\n8\n  For Federal agencies, a credential is a Government-issued card/badge used to prove an individual\xe2\x80\x99s\nidentity. SSA issues credentials to employees and contractors whom it determines are suitable. An\nemployee or contractor can use the credential to gain access to a Government facility, computer systems,\nor information.\n9\n At the time of our review, SSA was storing approximately 3,400 tapes at the Primary storage facility and\n2,400 tapes at the Secondary storage facility.\n10\n     We visited the facilities during the week of January 9, 2012.\n\x0cPage 4 - The Commissioner\n\n\nfacility the appropriate background check. 11 In addition, three truck drivers from the\nPrimary storage facility had not received a proper background check and therefore did\nnot get the proper credentials to access SSA\xe2\x80\x99s facilities to pick up the Agency\xe2\x80\x99s back-up\nmedia. However, the four drivers from the Secondary storage facility had received a\nproper background check but did not have the proper credentials to access SSA\xe2\x80\x99s\nfacilities.\n\nAs a result, SSA\xe2\x80\x99s sensitive media is at risk of loss of confidentiality, integrity, and\navailability. Therefore, we recommend SSA ensure the contractor stores the Agency\xe2\x80\x99s\nmedia in individually locked cabinets that can only be accessed by contractor\nemployees who received proper adjudication by SSA.\n\nEnvironmental Controls\n\nDuring our review, we found the following environmental control concerns that could\nsubject SSA\xe2\x80\x99s media to loss or damage.\n\n1. The contractor may not have been able to timely restore vault temperature and\n   humidity to acceptable levels when environmental readings fall outside the\n   acceptable ranges.\n2. The contractor was not able to monitor temperature and humidity levels in the trucks\n   that transported SSA\xe2\x80\x99s media.\n3. 
The contractor did not implement safeguards to prevent loss or damage to SSA\xe2\x80\x99s\n   media from electronic/radiation threats. 12\n\nRestoration of Vault Temperature and Humidity Levels\n\nWe found that during non-operating hours (11:30 p.m. to 7 a.m.), the contractor relied\non a third-party contractor to monitor and report the temperature and humidity levels in\nthe storage vaults. However, when the temperature and humidity levels fell outside\nacceptable levels, 13 the contractor was unable to immediately restore the temperature\nand humidity levels to the required levels.\n\n\n\n\n11\n  The contractor stated that 16 of its 46 employees worked on SSA\xe2\x80\x99s contract, but all 46 employees had\naccess to the vault where SSA\xe2\x80\x99s media was stored. The contractor provided a list of all its employees for\nboth of the off-site storage locations and a list of employees who only worked on SSA\xe2\x80\x99s contract. In\naddition to the contractor\xe2\x80\x99s lists, we received a list from SSA. However, we could not reconcile these lists;\ntherefore, we used the total employees from the contractor\xe2\x80\x99s list.\n12\n     We consider magnetic threats to be a part of electronic/radiation threats.\n13\n   NIST standards require temperature readings to be minimum of 60 degrees Fahrenheit and maximum\nof 70 degrees Fahrenheit. Also, humidity readings must be 35 percent minimum and 45 percent\nmaximum. The contract allows for a +/- 5 percent variation for temperature and humidity levels.\n\x0cPage 5 - The Commissioner\n\n\nThe contract states that \xe2\x80\x9c. . . the facility shall be temperature and humidity controlled in\naccordance with NIST standards.\xe2\x80\x9d 14 Federal standards require that agencies\xe2\x80\x99 media be\nstored in an environment where temperature and humidity levels must be maintained\nwithin a specific range. 
15\n\nWe discussed this issue with the SSA representatives, who told us the contractor stated\nthat when the temperature and humidity levels are improper, the contractor requests a\nservice visit from a heating, ventilation, and air conditioning vendor at the first\nopportunity and arranges for the unit to be assessed within 24 hours. 16 However, we\nare concerned that process could take more than 1 day, thereby exposing SSA\xe2\x80\x99s media\nto loss or damage.\n\nTransportation of SSA\xe2\x80\x99s Media\n\nWe found SSA\xe2\x80\x99s contractor did not implement environmental controls to monitor and\nrecord temperature readings in the trucks used to transport SSA\xe2\x80\x99s media to the\nSecondary storage facility.\n\nAccording to the contract, the contractor\xe2\x80\x99s trucks should maintain a temperature\nbetween 50 and 80 degrees Fahrenheit at all times while carrying cargo. 17 Moreover,\nthe contractor should take daily temperature readings in the cargo area and supply SSA\nwith those readings monthly as part of the required report documentation. 18 Further, the\ncontract requires weekly pick-ups to the Secondary storage facility.\n\nOn January 10, 2012, we observed the contractor transporting and receiving SSA\xe2\x80\x99s\nmedia from the Secondary storage facility to SSA\xe2\x80\x99s SSC. The temperature on that day\nwas below 50 degrees Fahrenheit. Additionally, the average temperature in the region\nwhere the Secondary storage facility is located ranges from a low of 30 degrees\nFahrenheit to over 80 degrees Fahrenheit. The contractor must monitor and maintain\nthe temperature and humidity levels in its delivery trucks to protect SSA\xe2\x80\x99s media from\nextreme cold, heat, or humidity.\n\nWe requested the technical proposal the contractor submitted in response to SSA\xe2\x80\x99s\nRequest for Proposal. 
SSA\xe2\x80\x99s Request for Proposal requires that the delivery truck\xe2\x80\x99s\ntransport area be closed to the driver by a solid wall and securely locked while in use.\n\n14\n     Section C-4, B.\n15\n     National Archives and Records Administration 36 C.F.R., 1236.28 (a) (1) (2).\n16\n  During operating hours, when temperature and humidity levels are improper, the contractor implements\nthe same process for operating hours to restore readings to normal. According to SSA, the contractor\nstated the third party heating, ventilation, and air conditioning vendor is required to respond and repair the\nunit within 4 to 6 hours the same day of the service request.\n17\n     Section C-4, H.\n18\n     Id.\n\x0cPage 6 - The Commissioner\n\n\nIn addition, cargo must be kept at 50 to 80 degrees Fahrenheit at all times while it is\nbeing transported. Finally, SSA required that the contractor use appropriate equipment\nto take daily temperature readings in the cargo area and supply these readings each\nmonth as part of the required report documentation.\n\nThe contractor responded,\n\n     We customize our pickup, delivery and tape rotation schedules around your\n     backup requirements and business needs. Your backup media is transported in\n     our environmentally controlled and secure vehicles to one of our vaults. Specially\n     screened and trained personnel ensure your data is protected from contamination,\n     exposure and security threats at all times and daily temperature readings are\n     recorded 24/7. Once a month the temperature gauge is connected to a computer\n     and the recorded readings can be printed out for SSA.\n\nWe also reviewed the Evaluation Score Sheet including the Site Visit Checklists the\nContracting Officer Technical Representative (COTR) used during the pre-award on-site\nevaluation to determine whether the transportation vehicles were inspected before the\ncontract was accepted. 
The COTR gave a \xe2\x80\x9cpass\xe2\x80\x9d on \xe2\x80\x9cTruck/Vehicle Requirements \xe2\x80\x93\nTemperature Controlled \xe2\x80\x93 50-80 degrees.\xe2\x80\x9d\n\nWe discussed this issue with the Agency representatives, and, according to these\nindividuals, the contractor stated the Secondary storage facility\xe2\x80\x99s trucks did not have a\nmechanism to monitor and record daily temperature readings of SSA\xe2\x80\x99s magnetic media\nduring transit. Consequently, the contractor did not meet the contract\xe2\x80\x99s requirements.\n\nIt is important that the contractor implement proper environmental controls for its trucks\nbecause SSA\xe2\x80\x99s media is sensitive to temperature. Without the proper controls to\nensure adequate temperature levels, SSA\xe2\x80\x99s media is at risk of loss or damage and may\nnot function properly when the Agency needs it for disaster recovery. Therefore, we\nrecommend SSA ensure the contractor maintains the proper temperature and humidity\nlevels as specified in the contract at all times while the Agency\xe2\x80\x99s media is in transit and\nstorage. In addition, SSA needs to ensure the contractor\xe2\x80\x99s Secondary storage facility\nprovides the Agency with the required report documentation for delivery truck\ntemperature and humidity readings as specified by the contract.\n\nProtection from Electronic/Radiation Threats\n\nWe found the contractor did not protect SSA\xe2\x80\x99s media from electronic/radiation threats.\nThe contract stated that \xe2\x80\x9c. . . the contractor shall provide a storage facility that is\nphysically secure from fire, flood, theft, and damage (physical and/or\nelectronic/radiation).\xe2\x80\x9d\n\nWe requested documentation that demonstrated the contractor\xe2\x80\x99s compliance with this\ncontract clause; however, the contractor could not provide evidence that its storage\n\x0cPage 7 - The Commissioner\n\n\nfacility provided protection from electronic/radiation threats. 
Further, we discussed this\nissue with the contractor. The contractor stated that lead sheathing19 was not installed\nin the vault walls during construction.\n\nThe backup media stored at the off-site facilities are critical for SSA\xe2\x80\x99s disaster recovery\nand continuity of operations. Therefore, we recommend SSA ensure the contractor\xe2\x80\x99s\nstorage facility vaults meet the contract requirements for protection from electronic/\nradiation threats.\n\nFire Protection for Secondary Storage Facility Storage Vault Needed Improvement\n\nFinally, we found the contractor\xe2\x80\x99s storage vault at the Secondary storage facility needed\nimprovement to protect SSA\xe2\x80\x99s media from loss or damage due to a fire. The contract\nrequires that the contractor provide a storage facility that is physically secure from fire\nand all fire doors provide 4 hours or greater protection. 20 However, the storage vault at\nthe Secondary storage facility only provided 1.5 hours of fire protection. We discussed\nour concerns with the contractor who stated that they plan to replace the vault doors\nwith doors having a 3-hour fire protection rating sometime in 2012. While this would be\nan improvement, the vault doors still would not meet contract requirements.\n\nWe requested the technical proposal the contractor submitted in response to SSA\xe2\x80\x99s\nRequest for Proposal. Our review of the contractor\xe2\x80\x99s technical proposal indicated that\nthe Agency requested vault doors to protect SSA\xe2\x80\x99s media from fire for 4 hours or longer.\nThe contractor responded that its \xe2\x80\x9c. . . facilities are designed and constructed in\naccordance with all applicable local and national codes. 
Specifically, facilities meet all\nrequirements of the local Authorities Having Jurisdiction (AHJ) and National Fire\nProtection Association (NFPA) standards 13, 25 and 72 at the time the facility was\nbuilt.\xe2\x80\x9d We reviewed the NFPA standards 13, 25, and 72 and determined that they do\nnot apply to fire door protection.\n\nWe discussed our concerns with the Contracting Officer (CO). The CO stated that the\nCOTR conducted a technical evaluation of the contractor\xe2\x80\x99s facilities before award. The\nCOTR documented the evaluation in the Evaluation Score Sheet. The COTR\xe2\x80\x99s\nevaluation indicated that the contractor\xe2\x80\x99s vault was rated as \xe2\x80\x9cexcellent.\xe2\x80\x9d 21 We reviewed\nthe Evaluation Score Sheet and determined that the COTR may not have inspected the\nvault doors and instead relied on the General Services Administration or Underwriters\nLaboratories certifications during the technical evaluation. Further, the CO replied that\n\n19\n     According to contractor, lead sheathing in vault walls deters penetration of magnetic waves.\n20\n  Section C-4, A. paragraph one states, \xe2\x80\x9cThe contractor shall provide a storage facility that is physically\nsecure from fire, flood, theft, and damage (physical and/or electronic/radiation) for backup/archival\nstorage of SSA\xe2\x80\x99s magnetic media.\xe2\x80\x9d\n21\n  According to the Evaluation Score Sheet, \xe2\x80\x9cExcellent\xe2\x80\x9d means that this area of the proposal far exceeds\nthe minimum requirements of the Request for Proposal. One or more vault(s) have certifications such as\nGeneral Services Administration or Underwriters Laboratories. Numerous major strengths exist.\nWeaknesses, if any, are very minor and very few.\n\x0cPage 8 - The Commissioner\n\n\n\xe2\x80\x9c. . . 
only the most important requirements were inspected; however, the contractor was\nstill required to comply with all contract requirements.\xe2\x80\x9d As a result of our review, we\nrecommend SSA ensure the contractor\xe2\x80\x99s Secondary storage facility vault doors meet\nthe contract requirements for fire protection.\n\nSSA Needs to Improve Contractor Oversight\n\nAs stated above, we believe SSA could have prevented the issues discussed in this\nreport with improved contract oversight. Agency policy states that the COTR should\nmonitor the contractor\xe2\x80\x99s performance and report progress to the CO. 22 Therefore, we\nrecommend SSA improve its oversight of this contract and timely resolve any contract\ndeficiencies with the contractor.\n\nWe discussed our concerns with the CO and the current COTR. We were told that the\noriginal COTR retired in 2011. In addition, we were told that there were no on-site\ninspections before 2012, with the exception of the pre-award site inspection. However,\nthe CO stated that because of this review, the contract will be modified in areas that\nrequire changes; but the Agency will mostly continue to enforce current requirements.\nMoreover, the COTR stated that he will work with the contractor to ensure all contractor\nemployees receive the appropriate background checks and credentials.\n\nCONCLUSION AND RECOMMENDATIONS\nWe determined that the physical security at the contractor\xe2\x80\x99s off-site storage locations\ngenerally complied with Federal laws, regulations, and some, but not all, of the contract\nrequirements. However, we noted areas where the contractor could improve the\nphysical security in the areas of access and environmental controls and fire protections\nof its storage facilities to comply with all contract provisions.\n\nTherefore, we recommend SSA:\n\n1. 
Ensure the contractor stores the Agency\xe2\x80\x99s media in individually locked cabinets that\n   can only be accessed by contractor employees who received proper adjudication by\n   SSA.\n2. Ensure the contractor maintains the proper temperature and humidity levels as\n   specified in the contract at all times while the Agency\xe2\x80\x99s media is in transit and\n   storage.\n3. Ensure the contractor\xe2\x80\x99s Secondary storage facility provides the Agency with the\n   required report documentation for delivery truck temperature and humidity readings\n   as specified by the contract.\n4. Ensure the contractor\xe2\x80\x99s storage facility vaults meet the contract requirements for\n   protection from electronic/radiation threats.\n\n22\n Administrative Instructions Manual System, Technical Support for Acquisitions-The Role of the\nContracting Officer\xe2\x80\x99s Technical Representative, Section 06.05.02, B.\n\x0cPage 9 - The Commissioner\n\n\n5. Ensure the contractor\xe2\x80\x99s Secondary storage facility vault doors meet the contract\n   requirements for fire protection.\n6. Improve its oversight of this contract and timely resolve any contract deficiencies\n   with the contractor.\n\nAGENCY COMMENTS\nSSA agreed with our recommendations. See Appendix C for the Agency\xe2\x80\x99s comments.\n\n\n\n\n                                         Patrick P. O\xe2\x80\x99Carroll, Jr.\n\x0c                                     Appendices\nAPPENDIX A \xe2\x80\x93 Acronyms\nAPPENDIX B \xe2\x80\x93 Scope and Methodology\nAPPENDIX C \xe2\x80\x93 Agency Comments\nAPPENDIX D \xe2\x80\x93 OIG Contacts and Staff Acknowledgments\n\x0c                                                               Appendix A\n\nAcronyms\nAHJ           Authorities Having Jurisdiction\nC.F.R.        Code of Federal Regulations\nCO            Contracting Officer\nCOTR          Contracting Officer Technical Representative\nNFPA          National Fire Protection Association\nPub. L. No.   
Public Law Number\nNIST          National Institute of Standards and Technology\nOMB           Office of Management and Budget\nSP            Special Publication\nSSA           Social Security Administration\nSSC           Second Support Center\nU.S.C.        United States Code\n\x0c                                                                     Appendix B\n\nScope and Methodology\nTo meet the objectives of our review, we performed the following procedures.\n\n1. Examined the original and current versions of the Social Security Administration\xe2\x80\x99s\n   (SSA) off-site storage contracts and modifications.\n2. Reviewed applicable Agency contract management policies and procedures.\n3. Conducted a physical security review of the contractor\xe2\x80\x99s Primary and Secondary off-\n   site storage facilities.\n4. Observed the transport of SSA\xe2\x80\x99s media between the Second Support Center and the\n   contractor\xe2\x80\x99s Primary and Secondary off-site storage facilities.\n5. Interviewed SSA and contractor personnel.\n\nWe also reviewed the following.\n\n\xe2\x80\xa2   The Privacy Act of 1974, as amended, 5 U.S.C. 
552a;\n\xe2\x80\xa2   The Federal Information Security Management Act of 2002;\n\xe2\x80\xa2   Office of Management and Budget Circular A-130, Management of Federal\n    Information Resources, Appendix III, Security of Federal Automated Information\n    Resources, February 8, 1996;\n\xe2\x80\xa2   National Institute of Standards and Technology (NIST), Special Publication (SP)\n    800-12, An Introduction to Computer Security: The NIST Handbook, October 1995;\n\xe2\x80\xa2   NIST, SP 800-53, Revision 3, Recommended Security Controls of Federal\n    Information Systems and Organizations, August 2009;\n\xe2\x80\xa2   NIST, SP 800-34 Revision 1, Contingency Planning Guide for Federal Information\n    Systems, May 2010;\n\xe2\x80\xa2   General Services Administration, Federal Specification Modular Vault Systems, AA-\n    V2737 Amendment-2, October 2006;\n\xe2\x80\xa2   Internal Revenue Service, Tax Information Security Guidelines for Federal, State,\n    and Local Agencies, Safeguards for Protecting Federal Tax Returns and Return\n    Information, Publication 1075, October 2007;\n\xe2\x80\xa2   National Archives and Records Administration 36 Codes of Federal Regulations.\n    1236.28, Subpart C Additional Requirements for Electronic Records, November\n    2009.\n\n\n\n\n                                          B-1\n\x0cWe performed our fieldwork at the contractor\xe2\x80\x99s two facilities and SSA\xe2\x80\x99s Headquarters\nfrom September 2011 through March 2012. We audited the off-site facility owner and\nthe Offices of Systems and Budget, Finance and Management. We conducted this\nperformance audit in accordance with generally accepted government auditing\nstandards. Those standards require that we plan and perform the audit to obtain\nsufficient, appropriate evidence to provide a reasonable basis for our findings and\nconclusions based on our audit objectives. 
We believe the evidence obtained provides\na reasonable basis for our findings and conclusions based on our audit objectives.\n\n\n\n\n                                        B-2\n\x0c                  Appendix C\n\nAgency Comments\n\x0c                                         SOCIAL SECURITY\n\nMEMORANDUM\n\n\nDate:      September 5, 2012                                                       Refer To:   S1J-3\n\nTo:        Patrick P. O\xe2\x80\x99Carroll, Jr.\n           Inspector General\n\nFrom:      Dean S. Landis /s/\n           Deputy Chief of Staff\n\nSubject:   Office of the Inspector General Draft Report, \xe2\x80\x9cPhysical Security of the Social Security\n           Administration\xe2\x80\x99s Contractor Owned and Operated Off-site Storage Facility\xe2\x80\x9d (A-14-12-11227)\xe2\x80\x94\n           INFORMATION\n\n           Thank you for the opportunity to review the draft report. Please see our attached comments.\n\n           Please let me know if we can be of further assistance. You may direct staff inquiries to\n           Amy Thompson at (410) 966-0569.\n\n           Attachment\n\n\n\n\n                                                          C-1\n\x0cCOMMENTS ON THE OFFICE OF THE INSPECTOR GENERAL DRAFT REPORT,\n\xe2\x80\x9cPHYSICAL SECURITY OF THE SOCIAL SECURITY ADMINISTRATION\xe2\x80\x99S\nCONTRACTOR OWNED AND OPERATED OFF-SITE STORAGE FACILITY\xe2\x80\x9d\n(A-14-12-11227)\n\n\nGENERAL COMMENT\n\nPage 8, last paragraph, last 2 sentences read:\n\n\xe2\x80\x9cSSA\xe2\x80\x99s media stored at these off-site locations are critical to the Agency\xe2\x80\x99s ability to recover quickly from\na catastrophic disaster. The loss or severe damage to these media could significantly delay SSA\xe2\x80\x99s ability\nto continue operating and serving its customers.\xe2\x80\x9d\n\nComment\n\nPlease remove or revise these statements, as it is incorrect to associate quick disaster recovery\ntime with a media tape-based environment. 
We have essentially eliminated our reliance on tape\nmedia for continuity of operations in all but the least likely disaster scenarios. The duplication of\ndata between the National Computer Center and Second Support Center is our primary method\nof data recovery. During the June 2012 disaster recovery exercise, we demonstrated the ability\nof each center to support production workloads in a disaster scenario within the Information\nTechnology Operations Assurance Recovery Time Objective and the Recovery Point Objective\nwithout using a tape for recovery.\n\nRESPONSES TO THE RECOMMENDATIONS\n\nRecommendation 1\n\nEnsure the contractor stores the Agency\xe2\x80\x99s media in individually locked cabinets that can only be\naccessed by contractor employees who received proper adjudication by SSA.\n\nResponse\n\nWe agree.\n\nRecommendation 2\n\nEnsure the contractor maintains the proper temperature and humidity levels as specified in the\ncontract at all times while the Agency\xe2\x80\x99s media is in transit and storage.\n\nResponse\n\nWe agree with the need to maintain proper temperature. The contractor took steps to ensure\ntemperature control for the cited truck. However, there is an inconsistency in the contract with\nregard to humidity that we need to address. Under Section C-4, of the Detailed Mandatory\nRequirements contract titled \xe2\x80\x9cTransportation\xe2\x80\x9d only requires temperature monitoring, but Section\nE-11 of the contract, Subsection H, entitled \xe2\x80\x9cDeliverables\xe2\x80\x9d requires the truck reports to include\nboth temperature and humidity readings. 
Our requirement is for tracking temperature only so we\nwill modify the contract to remove the humidity requirement.\n                                                    C-2\n\x0cRecommendation 3\n\nEnsure the contractor\xe2\x80\x99s Secondary storage facility provides the Agency with the required report\ndocumentation for delivery truck temperature and humidity readings as specified by the contract.\n\nResponse\n\nWe agree with the exception of the humidity readings as noted in our response to\nRecommendation 2 above.\n\nRecommendation 4\n\nEnsure the contractor\xe2\x80\x99s storage facility vaults meet the contract requirements for protection from\nelectronic/radiation threats.\n\nResponse\n\nWe agree. However, we re-assessed this requirement and determined that the chance of loss of\ndata due to \xe2\x80\x9celectronic/radiation threats\xe2\x80\x9d is extremely rare. Additionally, we found no\nregulations mandating this level of protection. Since we determined this requirement\nunnecessary, we will modify the contract to remove the requirement.\n\nRecommendation 5\n\nEnsure the contractor\xe2\x80\x99s Secondary storage facility vault doors meet the contract requirements for\nfire protection.\n\nResponse\n\nWe agree. We researched this requirement further, and found that the minimal level of fire\nprotection for a vault door in accordance with the National Archives and Records Administration\n(NARA) Code of Federal Regulations Title 36, Chapter XII, Subchapter B Records\nManagement, Part 1234 Facility Standards for Records is three hours (class A door). Therefore,\nwe determined the four-hour requirement excessive, and we modified the contract to conform to\nthe NARA regulation. 
We consider this recommendation closed.\n\nRecommendation 6\n\nImprove its oversight of this contract and timely resolve any contract deficiencies with the\ncontractor.\n\nResponse\n\nWe agree.\n\n\n\n\n                                               C-3\n\x0c                                                                         Appendix D\n\nOIG Contacts and Staff Acknowledgments\nOIG Contacts\n\n   Brian Karpe, Director, Information Technology Audit Division\n\n   Grace Chi, Audit Manager\n\nAcknowledgments\n\nIn addition to those named above:\n\n   Tina Nevels, Auditor\n\nFor additional copies of this report, please visit our Website at http://oig.ssa.gov/ or\ncontact the Office of the Inspector General\xe2\x80\x99s Public Affairs Staff at (410) 965-4518.\nRefer to Common Identification Number A-14-12-11227.\n\x0c                            DISTRIBUTION SCHEDULE\n\nCommissioner of Social Security\nChairman and Ranking Member, Committee on Ways and Means\nChief of Staff, Committee on Ways and Means\nChairman and Ranking Minority Member, Subcommittee on Social Security\nMajority and Minority Staff Director, Subcommittee on Social Security\nChairman and Ranking Minority Member, Committee on the Budget, House of\nRepresentatives\nChairman and Ranking Minority Member, Committee on Oversight and Government\nReform\nChairman and Ranking Minority Member, Committee on Appropriations, House of\nRepresentatives\nChairman and Ranking Minority, Subcommittee on Labor, Health and Human Services,\nEducation and Related Agencies, Committee on Appropriations,\n House of Representatives\nChairman and Ranking Minority Member, Committee on Appropriations, U.S. Senate\nChairman and Ranking Minority Member, Subcommittee on Labor, Health and Human\nServices, Education and Related Agencies, Committee on Appropriations, U.S. 
Senate\nChairman and Ranking Minority Member, Committee on Finance\nChairman and Ranking Minority Member, Subcommittee on Social Security Pensions\nand Family Policy\nChairman and Ranking Minority Member, Senate Special Committee on Aging\nSocial Security Advisory Board\n\x0c                         Overview of the Office of the Inspector General\nThe Office of the Inspector General (OIG) is comprised of an Office of Audit (OA), Office of Investigations\n(OI), Office of the Counsel to the Inspector General (OCIG), Office of External Relations (OER), and Office of\nTechnology and Resource Management (OTRM). To ensure compliance with policies and procedures, internal\ncontrols, and professional standards, the OIG also has a comprehensive Professional Responsibility and Quality\nAssurance program.\n                                                  Office of Audit\nOA conducts financial and performance audits of the Social Security Administration\xe2\x80\x99s (SSA) programs and\noperations and makes recommendations to ensure program objectives are achieved effectively and efficiently.\nFinancial audits assess whether SSA\xe2\x80\x99s financial statements fairly present SSA\xe2\x80\x99s financial position, results of\noperations, and cash flow. Performance audits review the economy, efficiency, and effectiveness of SSA\xe2\x80\x99s\nprograms and operations. OA also conducts short-term management reviews and program evaluations on issues\nof concern to SSA, Congress, and the general public.\n                                              Office of Investigations\nOI conducts investigations related to fraud, waste, abuse, and mismanagement in SSA programs and operations.\nThis includes wrongdoing by applicants, beneficiaries, contractors, third parties, or SSA employees performing\ntheir official duties. This office serves as liaison to the Department of Justice on all matters relating to the\ninvestigation of SSA programs and personnel. 
OI also conducts joint investigations with other Federal, State,\nand local law enforcement agencies.\n                            Office of the Counsel to the Inspector General\nOCIG provides independent legal advice and counsel to the IG on various matters, including statutes,\nregulations, legislation, and policy directives. OCIG also advises the IG on investigative procedures and\ntechniques, as well as on legal implications and conclusions to be drawn from audit and investigative material.\nAlso, OCIG administers the Civil Monetary Penalty program.\n                                        Office of External Relations\nOER manages OIG\xe2\x80\x99s external and public affairs programs, and serves as the principal advisor on news releases\nand in providing information to the various news reporting services. OER develops OIG\xe2\x80\x99s media and public\ninformation policies, directs OIG\xe2\x80\x99s external and public affairs programs, and serves as the primary contact for\nthose seeking information about OIG. OER prepares OIG publications, speeches, and presentations to internal\nand external organizations, and responds to Congressional correspondence.\n                           Office of Technology and Resource Management\nOTRM supports OIG by providing information management and systems security. OTRM also coordinates\nOIG\xe2\x80\x99s budget, procurement, telecommunications, facilities, and human resources. In addition, OTRM is the\nfocal point for OIG\xe2\x80\x99s strategic planning function, and the development and monitoring of performance\nmeasures. In addition, OTRM receives and assigns for action allegations of criminal and administrative\nviolations of Social Security laws, identifies fugitives receiving benefit payments from SSA, and provides\ntechnological assistance to investigations.\n\x0c"